[Bug 1006963] Re: sources.list configuration does not cover security

Wed Dec 12 21:29:12 UTC 2012

** Description changed:

  === Begin SRU Information ===
  [Impact]
   * Operating completely off-line (without access to *.ubuntu.com) is not
     really possible with cloud-init in 12.04.  The user can specify a
     mirror to use to cloud-init, and it will respect that input.  However,
     it will still write 'security.ubuntu.com' entries in
     /etc/apt/sources.list .  The fix in 12.10 was to add support for
     declaring the security mirror in addition to the "primary" mirror.

     Looking at the config snippet probably makes it obvious how this
     is done.  '$security' in the templates then references the specified
     security mirror, and the user can set that value by providing
     cloud-config syntax formed like the default below:

      | package_mirrors:
      |   - arches: [i386, amd64]
      |     failsafe:
      |      primary: http://archive.ubuntu.com/ubuntu
      |      security: http://security.ubuntu.com/ubuntu
      |    search:
      |      primary:
      |        - http://%(ec2_region)s.ec2.archive.ubuntu.com/ubuntu/
      |        - http://%(availability_zone)s.clouds.archive.ubuntu.com/ubuntu/
      |      security: []
      |  - arches: [armhf, armel, default]
      |    failsafe:
      |      primary: http://ports.ubuntu.com/ubuntu
      |      security: http://ports.ubuntu.com/ubuntu

   * this will allow users on fully disconnected networks to use cloud
     images with local mirrors without modifying the image.

  [Test Case]
   To demonstrate the problem, simply launch an instance in EC2.  The
   rendered sources.list will contain references to
   us-east-1.ec2.archive.ubuntu.com and also security.ubuntu.com .
   the default/fallback case was previously to use archive.ubuntu.com
   and there was no changing of security.ubuntu.com at all.  The result was
   that offline, an 'apt-get update' was guaranteed to fail even if the
   user specified 'apt_mirror'.

   You can demonstrate the fixed path by booting an instance with
   user-data like the following:
      |#cloud-config
      |system_info:
      | package_mirrors:
      |   - arches: [i386, amd64]
      |     failsafe:
      |      primary: http://my.archive.mydomain.com/ubuntu
+     |      security: http://my.archive.mydomain.com/ubuntu
      |     search:
      |      primary: []
      |      security: []

   You will see in /etc/sources.list, that there is no reference to
   "ubuntu.com" any more.

  [Regression Potential]
   * The change in behavior could change mirror selection in undefined
     ways.  We've not seen any issues with this path in quantal, though.
     This code is basically the same as is running in quantal just
     backported.

  === End SRU Information ===

  cloud-init will attempt to update /etc/apt/sources.list from its
  template, and allows the user to set 'apt_mirror'.  However, it does not
  allow the user to set the security.ubuntu.com entry.

  This has issues in 2 places:
  a.) internal and disconnected operation (no access to security.ubuntu.com)
  b.) arm.  For arm, there is no security.ubuntu.com

  Related bugs:
   * bug 1028501:  cloud-init selects wrong mirrors for arm

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/1006963

Title:
  sources.list configuration does not cover security

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1006963/+subscriptions